https://live.paloaltonetworks.com/t5/general-topics/lsvpn-tunnel-recovery/m-p/160705#M52366 <P>I've set up my first LSVPN deployment and everything has gone without a hitch. &nbsp;The only issue I ran into, we were doing an upgrade of PAN-OS on the gateway and satellites. &nbsp;Satellites all went fine, but my gateway bombed out (first time its happened to me). &nbsp;We were in an HA pair, but I had duplicate IPs on the network once the passive box rebooted, but I could never communicate or pass traffic with the passive box. Once I got the bad actor off the network and replaced with an on-site spare and the environment back up and stable, the Satellites didn't reconnect. &nbsp;It took upwards of 45 minutes to get them back online. &nbsp;It appears once the tunnel goes down on the satellite there's no way to recover until the next portal or gateway check-in. &nbsp;I was in process to manually reconnect the firewalls, but they came up while I was en route.<BR /><BR />So, I've read the tunnel monitor difference between IPSEC and LSVPN and looked over the LSVPN deployment guide, but I guess I'm missing how the satellites will recover if connectivity to the gateway is lost. &nbsp;Currently, I don't have a tunnel monitor set up on the Gateway. &nbsp;Should I change this monitor to the physical&nbsp;IP of the gateway instead of letting the monitor default to the tunnel interface of the gateway? &nbsp;Would this improve recovery time?<BR /><BR />Thanks for any help!&nbsp;</P> Mon, 12 Jun 2017 14:28:08 GMT dan731028 2017-06-12T14:28:08Z https://live.paloaltonetworks.com/t5/general-topics/lsvpn-tunnel-recovery/m-p/160705#M52366 <P>I've set up my first LSVPN deployment and everything has gone without a hitch. &nbsp;The only issue I ran into, we were doing an upgrade of PAN-OS on the gateway and satellites. &nbsp;Satellites all went fine, but my gateway bombed out (first time its happened to me). &nbsp;We were in an HA pair, but I had duplicate IPs on the network once the passive box rebooted, but I could never communicate or pass traffic with the passive box. Once I got the bad actor off the network and replaced with an on-site spare and the environment back up and stable, the Satellites didn't reconnect. &nbsp;It took upwards of 45 minutes to get them back online. &nbsp;It appears once the tunnel goes down on the satellite there's no way to recover until the next portal or gateway check-in. &nbsp;I was in process to manually reconnect the firewalls, but they came up while I was en route.<BR /><BR />So, I've read the tunnel monitor difference between IPSEC and LSVPN and looked over the LSVPN deployment guide, but I guess I'm missing how the satellites will recover if connectivity to the gateway is lost. &nbsp;Currently, I don't have a tunnel monitor set up on the Gateway. &nbsp;Should I change this monitor to the physical&nbsp;IP of the gateway instead of letting the monitor default to the tunnel interface of the gateway? &nbsp;Would this improve recovery time?<BR /><BR />Thanks for any help!&nbsp;</P> Mon, 12 Jun 2017 14:28:08 GMT https://live.paloaltonetworks.com/t5/general-topics/lsvpn-tunnel-recovery/m-p/160705#M52366 dan731028 2017-06-12T14:28:08Z https://live.paloaltonetworks.com/t5/general-topics/lsvpn-tunnel-recovery/m-p/160821#M52399 <P>so there are 2 "is it dead methods"</P><P>DPD - on Phase 1</P><P>and&nbsp;</P><P>Tunnel Monitor - on phase 2</P><P>tunnel monitor does give you more troubleshooting allowances</P><P>(an IP address is assigned and 'pingable')</P><P>thus an actual packet traverses the tunnel</P><P>&nbsp;</P><P>are you using static or dynamic routing?</P><P>&nbsp;</P><P>is passive setting enabled....checked?</P> Mon, 12 Jun 2017 21:54:53 GMT https://live.paloaltonetworks.com/t5/general-topics/lsvpn-tunnel-recovery/m-p/160821#M52399 DarinSutton 2017-06-12T21:54:53Z